At this point, you have the firewall enabled, and a local administrator cannot disable it. In this step, you complete the configuration of the client computer GPO by adding other frequently used settings to further control the behavior of the firewall on a computer that is running either Windows 7 or Windows Vista.

Any settings in the GPO that you leave on the default value of "Not configured" can be configured by a local administrator. Therefore, you might not want to depend on the default settings. Instead, you should explicitly set those values that you want configured a certain way. The procedures in this section illustrate how to configure other common settings that you typically do not want a local administrator to be able to change.

On MBRSVR1, in the Group Policy Management Editor, right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.

On the Domain Profile tab, in the State section, set Inbound connections to Block (default), and set Outbound connections to Allow (default). This is, of course, the same behavior to which the client is already set, but setting it in the GPO prevents local administrators from changing the settings.

Click OK to save your settings and return to the Group Policy Management Editor.

In the next procedure, you refresh Group Policy on the client, and confirm that locally defined rules and settings cannot block network communications.
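The following check is an added example, not part of the original guide: run on the client after Group Policy has refreshed, it reports which domain profile settings are enforced by the GPO and which are still "Not configured" and therefore open to local change. It assumes the policy registry location and value names that Windows uses for GPO-delivered firewall settings (not shown on this page); the function name `Get-FirewallPolicyState` is hypothetical.

```powershell
# Added example: list domain-profile firewall settings that the GPO enforces
# versus those left "Not configured" (a local administrator can change those).
# Compatible with PowerShell 2.0 (Windows 7); run from an elevated prompt.

# Assumption: GPO-delivered firewall settings are stored under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Registry value name -> display label and meaning of each DWORD value.
$Settings = @(
    @{ Name = 'EnableFirewall';        Label = 'Firewall state';       Map = @{ 0 = 'Off';   1 = 'On' } },
    @{ Name = 'DefaultInboundAction';  Label = 'Inbound connections';  Map = @{ 0 = 'Allow'; 1 = 'Block' } },
    @{ Name = 'DefaultOutboundAction'; Label = 'Outbound connections'; Map = @{ 0 = 'Allow'; 1 = 'Block' } }
)

function Get-FirewallPolicyState {
    param([string]$Path = $PolicyKey)

    # The key is absent when no firewall GPO setting has reached this computer.
    $props = $null
    if (Test-Path $Path) { $props = Get-ItemProperty -Path $Path }

    foreach ($s in $Settings) {
        $p = if ($props) { $props.PSObject.Properties[$s.Name] } else { $null }
        if ($p) {
            $value = $s.Map[[int]$p.Value]
            if ($null -eq $value) { $value = "Unknown ($($p.Value))" }
            $source = 'Enforced by GPO'
        } else {
            $value  = '-'
            $source = 'Not configured (locally changeable)'
        }
        New-Object PSObject -Property @{
            Setting = $s.Label; PolicyValue = $value; Source = $source
        }
    }
}

Get-FirewallPolicyState |
    Select-Object Setting, PolicyValue, Source |
    Format-Table -AutoSize

# Effective domain profile as the firewall service sees it, for comparison.
netsh advfirewall show domainprofile
```

With the settings from this step applied, inbound connections should report Block and outbound connections Allow, both enforced by the GPO.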